iPhone SMS bug said to be serious threat
Attacker able to send text message that seems to come from a trusted source, says security researcher
By Antone Gonsalves
November 05, 2012 — CSO — Security on the iPhone is heavily dependent on Apple's ability to vet all third-party apps before users download them. But a French hacker claims he has found a flaw in the smartphone's text messaging service that bypasses the safeguard.
The hacker, who calls himself "pod2g" and is best known for jailbreaking iPhones, said Friday that the vulnerability could let an attacker send a message pretending to be from a bank, credit card company or other trusted source.
Because the flaw does not involve code execution, an attacker does not need to get malware pass Apple, which approves all mobile apps before they are sold on the App Store, the only legitimate site for downloading software for Apple mobile devices.
Pod2g, a self-professed iPhone security researcher, said the flaw is "severe" and affects all current versions of iOS and iOS 6 beta 4. IOS is the iPhone and iPad operating system.
"I am pretty confident that other security researchers already know about this hole, and I fear some pirates as well," he said in a blog post.
Apple did not respond to a request for comment.
Tyler Shields, a senior security researcher at Veracode, told the Kaspersky Lab blog that the flaw needs attention.
"At first glance, this type of flaw seems tame, but in reality it can be used very effectively in spoofing and social engineering based threat models," Shields said. "I would rate this attack a medium severity because it relies on tricking the user into doing something specific based on a falsified level of trust."
[In depth: Which smartphone is the most secure?]
When a text message is sent through the iPhone SMS (short messaging service), the phone typically converts it to a protocol called Protocol Description Unit (PDU) before the carrier ships it to the telephone number of the recipient.
Within the text payload is a section called User Data Header (UDH) that enables someone to change the reply address of the text, pod2g said. An attacker could use this flaw to show a reply number that is different from where the responding text would actually go.
"In a good implementation of this feature, the receiver would see the original phone number and the reply-to one," pod2g said. "On iPhone, when you see the message, it seems to come from the reply-to number, and you loose track of the origin."
As a result, an attacker could send a message that seems to come from a bank or other trusted source. This would enable the criminal to either seek personal information or direct the recipient to a phishing website.
Read more about wireless/mobile security in CSOonline's Wireless/Mobile Security section.